Preface



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was 
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to 
the Inspector General Act of 1978. This is one of a series of audit, inspection, and special 
reports prepared as part of our oversight responsibilities to promote economy, efficiency, and 
effectiveness within the department. 

This report presents the information technology (IT) management letter for the 
Transportation Security Administration (TSA) balance sheet audit as of September 30, 2007. 
It contains observations and recommendations related to information technology internal 
control that were not required to be reported in the financial statement audit report 
(OIG-08-57, May 2008) and represents the separate restricted distribution report mentioned in that 
report. The independent accounting firm KPMG LLP (KPMG) performed the audit of TSA's 
FY 2007 financial statements and prepared this IT management letter. KPMG is responsible 
for the attached IT management letter dated February 8, 2008, and the conclusions expressed 
in it. We do not express opinions on DHS' financial statements or internal control or 
conclusion on compliance with laws and regulations. 

The recommendations herein have been developed to the best knowledge available to our 
office, and have been discussed in draft with those responsible for implementation. It is our 
hope that this report will result in more effective, efficient, and economical operations. We 
express our appreciation to all of those who contributed to the preparation of this report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 

February 8, 2008 

Chief Financial Officer 
Transportation Security Administration 

Chief Information Officer 
Transportation Security Administration 

Inspector General 

U.S. Department of Homeland Security 
Ladies and Gentlemen: 

We have audited the consolidated balance sheet of the U.S. Department of Homeland Security's (DHS) 
Transportation Security Administration (TSA) as of September 30, 2007, and have issued our report 
thereon dated February 8, 2008. In planning and performing our audit of the consolidated balance sheet 
of TSA, we considered internal control over financial reporting in order to determine our auditing 
procedures for the purpose of expressing an opinion on the consolidated balance sheet. An audit does not 
include examining the effectiveness of internal control and does not provide assurance on internal control 
over financial reporting. We have not considered internal control since the date of our report. 

We noted certain matters involving internal control and other operational matters with respect to 
information technology that are summarized and presented in Exhibit A for your consideration. These 
comments and recommendations, all of which have been discussed with the appropriate members of 
management and have been communicated through the issued Notices of Finding and Recommendation, 
are intended to improve information technology internal control or result in other operating efficiencies, 
and are intended For Official Use Only. Exhibits B through D present additional information for 
management's use. Exhibit E contains a copy of TSA's written management response to the draft 
letter. Our findings involving internal control and other operational matters that do not relate to 
information technology have been presented in our Independent Auditors' Report, dated February 8, 
2008, and in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer 
dated December 21, 2007. 

Our audit procedures are designed primarily to enable us to form an opinion on the consolidated balance 
sheet, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We 
aim, however, to use our knowledge of TSA's organization gained during our work to make comments 
and suggestions that we hope will be useful to you. We would be pleased to discuss these comments and 
recommendations with you at any time. 

This report is intended solely for the information and use of TSA and DHS management, DHS Office of 
Inspector General, Office of Management and Budget, U.S. Government Accountability Office, and the 
U.S. Congress, and is not intended to be and should not be used by anyone other than these specified 
parties. 

Very truly yours, 

KPMG LLP 

OBJECTIVE, SCOPE AND APPROACH 

We performed audit procedures over the U.S. Department of Homeland Security's (DHS) Transportation 
Security Administration's (TSA) general controls in support of the fiscal year 2007 TSA balance sheet 
audit. The overall objective of our audit procedures was to evaluate the effectiveness of information 
technology (IT) general controls of TSA's financial processing environment and related IT infrastructure 
as necessary to support the engagement. Further information related to the scope of the TSA's IT general 
controls assessment is described in Exhibit B. The Federal Information System Controls Audit Manual 
(FISCAM), issued by the Government Accountability Office, formed the basis of our audit procedures. 

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist 
them in planning their audit work and to integrate the work of auditors with other aspects of the financial 
audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review 
that generally should be performed when evaluating general controls and the IT environment of a federal 
agency. FISCAM defines the following six control functions to be essential to the effective operation of 
the general IT controls environment: 

• Entity-wide security program planning and management - Controls that provide a framework and 
continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, 
and monitoring the adequacy of computer-related security controls. 

• Access control - Controls that limit and/or monitor access to computer resources (data, programs, 
equipment, and facilities) to protect against unauthorized modification, loss, and disclosure. 

• Application software development and change control - Controls that help to prevent the 
implementation of unauthorized programs or modifications to existing programs. 

• System software - Controls that limit and monitor access to powerful programs that operate computer 
hardware. 

• Segregation of duties - Controls that constitute policies, procedures, and an organizational structure to 
prevent one individual from controlling key aspects of computer-related operations, thus deterring 
unauthorized actions or access to assets or records. 

• Service continuity - Controls that involve procedures for continuing critical operations without 
interruption, or with prompt resumption, when unexpected events occur. 

In addition, we assessed the DHS component's compliance with the National Institute of Standards and 
Technology's (NIST) Special Publication 800-53, Recommended Security Controls for Federal 
Information Systems, and DHS' Information Technology Security Program Publication 4300A. 

To complement our general IT controls audit procedures, we also performed technical security testing for 
key network and system devices. The technical security testing was performed from within select DHS 
facilities, and focused on test, development, and production devices that directly support TSA's financial 
processing and key general support systems. 

In addition to testing TSA's general control environment, we performed application control tests on a 
limited number of TSA financial systems and applications. The application control testing was performed 
to assess the controls that support the financial systems' internal controls over the input, processing, and 
output of financial data and transactions. 

• Application Controls - Application controls are the structure, policies, and procedures that apply to 
separate, individual application systems, such as accounts payable, inventory, or payroll. 



SUMMARY OF FINDINGS AND RECOMMENDATIONS 

The U.S. Coast Guard's | | hosts key financial applications for TSA. As such, 
our audit procedures over information technology (IT) general controls for TSA included testing of the 
Coast Guard's | | policies, procedures, and practices, as well as at TSA Headquarters. 

During fiscal year 2007, there were ten TSA prior year findings that were properly closed. During the 
year, the | | took steps to address known weaknesses, such as expanding password lengths on key 
financial systems and taking steps to improve the service continuity processes. 

Despite these improvements, during our current year test work, we noted that 14 prior year findings had 
not been resolved, and we issued 11 new findings. These issues collectively limit TSA's ability to ensure 
that critical financial and operational data is maintained in a manner that ensures confidentiality, integrity, 
and availability. In addition, these weaknesses negatively impacted the internal controls over TSA 
financial reporting and its operation. TSA and Coast Guard management should ensure an emphasis is 
placed on the monitoring and enforcement of IT security-related policies and procedures. Ongoing 
measures to improve the IT security considerations for key financial systems hosted by | | and to 
implement effective access controls and change controls need to be completed. Additionally, many of the 
repeat vulnerabilities in system access and configuration controls that were identified during technical 
security testing can be addressed by ensuring that the security configurations associated with the builds, 
service packs, and software patches are in compliance with DHS and National Institute of Standards and 
Technology (NIST) standards. 

FINDINGS BY AUDIT AREA 



Conditions: In fiscal year 2007, the following IT and financial system control weaknesses were identified 
at TSA and at | |. Many of the issues identified during our fiscal year 2007 engagement were also 
identified during fiscal year 2006. The following IT and financial system control weaknesses result in IT 
being reported as a material weakness. 

A. Access Controls 

Access controls for general support systems and applications should provide reasonable assurance that 
computer resources such as data files, application programs, and computer-related facilities and 
equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access 
controls are facilitated by an organization's entity-wide security program. Such controls include physical 
controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as 
security software programs designed to prevent or detect unauthorized access to sensitive files. 
Inadequate access controls diminish the reliability of computerized data and increase the risk of 
destruction or inappropriate disclosure of information. 
During fiscal year 2007, we noted that | | had made progress toward the improvement of access 
controls surrounding the financial applications by expanding password lengths on key financial systems, 
improving the personnel entrance and exit procedures, and improving control over access to the | | 
operating system environment. However, we also noted several repeat access control weaknesses, in 
addition to the identification of several new weaknesses. The weaknesses were identified as a result of 
general controls and vulnerability testing. These are significant issues because personnel inside the 
organization who best understand the organization's systems, applications, and business processes are 
able to obtain unauthorized access to TSA data. 

Conditions noted during our test work at | | and TSA Headquarters regarding access controls that 
impact TSA's financial processing are as follows: 

• Missing or weak user passwords were identified on key servers and databases that process and 
support TSA financial data. 

• Excessive administrative privileges were identified on the | |. 

• Certain workstations, servers, and network devices were not configured with the necessary security 
patches, or were not configured in the most secure manner. 

• Accounts of terminated employees and contractors are not removed from | | in a timely manner. 

• Procedures for the authorization, regular review, and removal of | | system access were not 
formalized and were inconsistent. 

• The | | and | | have been configured to automatically end-date 
accounts that have not been used in six months; however, DHS guidance requires that accounts that have 
been inactive for 30 days be disabled. 

• Policy and procedures for a formalized sanctioning process for individuals who do not follow 
computer access policies and procedures have not been fully developed and implemented. 
Specifically, the policies and procedures do not include consequences for individuals who do not sign 
the computer access agreements or complete initial or refresher security awareness training. 
Furthermore, of the nine individuals selected for testing, only one had completed a computer access 
agreement. 

• Procedures requiring the review of the activities of | | system administrators are not formally 
documented. 

• Audit logging has not been enabled within the | | system. Additionally, audit trails of appropriate 
user actions, including changes to security profiles, are not generated and maintained for certain 
applications. 

Recommendation: 

We recommend that the TSA Chief Financial Officer (CFO) and Chief Information Officer (CIO) ensure 
the following corrective actions are implemented: 

1. Enforce password controls to meet DHS password requirements on key financial systems. 

2. Remove all generic shared system accounts or establish individual accountability for these accounts. 
If these accounts cannot be removed, enable audit logging to capture the user's operating system 
logon ID so that individual accountability can be established for each instance of when these accounts 
3. Develop and implement a process for performing scans of the network environment, including the 
financial processing environment, for the identification and correction of vulnerabilities in accordance 
with DHS and Federal guidance. These scans should occur on a regular basis, especially after the 
implementation of a software release. 

4. Track and end-date/disable inactive and/or separated personnel | | accounts in 
compliance with DHS requirements. 

5. Develop and implement formal entity-wide procedures for controlling the processes associated with 
the granting, monitoring, and terminating user accounts that require the periodic revalidation of user 
profiles by local security administrators that comply with existing policies (TSA needs to take this 
action). 

6. Ensure that computer access agreements are completed for all TSA employees and contractors with 
access to financial applications (TSA needs to take this action). 

7. Continue the development and implementation of a sanctioning process for both TSA employees and 
contractors if requirements surrounding the completion of security awareness and training, and 
computer access agreements are not met. 

8. Establish detailed procedures for audit trail generation, review and management on the | | system 
accounts. The procedures should discuss the conditions under which the audit trails should be 
generated and reviewed, the frequency of the reviews, and the basis for determining when suspicious 
activity should be investigated. In addition, sufficient resources should be allocated to ensure the 
proper implementation and monitoring of these procedures. 
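Recommendation 4 above asks that inactive and separated personnel accounts be end-dated or disabled in line with DHS requirements, and the conditions note that the hosted systems only end-date accounts after six months of inactivity while DHS guidance requires disabling after 30 days. The following Python script is an added example, not code from the KPMG letter or from any TSA or Coast Guard system: it runs the kind of test an auditor or system owner would run over an account roster, flagging enabled accounts idle past the 30-day limit, accounts of separated personnel that remain enabled, and generic shared accounts (recommendation 2). The CSV layout, field names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# DHS guidance cited in the finding: accounts inactive for 30 days must be disabled.
DHS_INACTIVITY_LIMIT_DAYS = 30
# Configured behaviour noted in the finding: accounts end-dated after six months (about 180 days).
CONFIGURED_END_DATE_DAYS = 180

# Balance sheet date used in the audit; the roster is evaluated as of this date.
AS_OF = date(2007, 9, 30)

# Constructed sample roster (not from the report). Columns: user id, account
# status, last login date, separation date (blank if still employed), role.
SAMPLE_ROSTER = """\
user_id,status,last_login,separation_date,role
jdoe,enabled,2007-09-25,,analyst
asmith,enabled,2007-07-10,,accountant
bjones,enabled,2007-03-01,,contractor
cwhite,enabled,2007-09-01,2007-08-15,contractor
dlee,disabled,2007-05-05,2007-05-10,analyst
sysadm_shared,enabled,2007-09-28,,shared
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_roster(text):
    """Parse the CSV roster into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user_id": row["user_id"].strip(),
            "status": row["status"].strip().lower(),
            "last_login": _parse_date(row["last_login"].strip()),
            "separation_date": _parse_date(row["separation_date"].strip()),
            "role": row["role"].strip().lower(),
        })
    return rows


def audit_accounts(rows, as_of=AS_OF, limit_days=DHS_INACTIVITY_LIMIT_DAYS):
    """Return exceptions keyed by test name.

    inactive_not_disabled:   (user_id, idle_days) for enabled accounts idle past limit_days
    separated_still_enabled: (user_id, days_since_separation) for separated but enabled users
    shared_accounts:         user_id of enabled generic/shared accounts (no individual accountability)
    """
    findings = {"inactive_not_disabled": [], "separated_still_enabled": [], "shared_accounts": []}
    for r in rows:
        if r["status"] != "enabled":
            continue  # a disabled account satisfies every test below
        idle_days = (as_of - r["last_login"]).days
        if idle_days > limit_days:
            findings["inactive_not_disabled"].append((r["user_id"], idle_days))
        if r["separation_date"] is not None and r["separation_date"] <= as_of:
            findings["separated_still_enabled"].append(
                (r["user_id"], (as_of - r["separation_date"]).days))
        if r["role"] == "shared":
            findings["shared_accounts"].append(r["user_id"])
    return findings


def accounts_missed_by_configured_threshold(rows, as_of=AS_OF):
    """Accounts the 30-day rule catches but the configured six-month end-dating would not yet touch.

    This is the gap the finding describes: the system's own control only acts
    after CONFIGURED_END_DATE_DAYS, so anything idle between 31 and 180 days stays enabled.
    """
    return [user for user, idle in audit_accounts(rows, as_of)["inactive_not_disabled"]
            if idle <= CONFIGURED_END_DATE_DAYS]


if __name__ == "__main__":
    roster = parse_roster(SAMPLE_ROSTER)
    for test_name, hits in audit_accounts(roster).items():
        print(f"{test_name}: {hits}")
    print("missed by six-month end-dating:", accounts_missed_by_configured_threshold(roster))
```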

B. Application Software Development and Change Control 

Conditions noted during our test work at | | and TSA Headquarters regarding the change control 
process that impact TSA's financial processing are as follows: 

• Several weaknesses exist in the change control processes for | |. Specifically, 
change control procedures were not properly developed, formal change request forms were not in use, 
and test plans and results were not documented. 

• A separate and secondary change control process outside of and conflicting with the established 
change control process is in operation at the | |. Specifically, this second change control 
process is used to create additional functionality or correct data in | | to compensate for gaps in the 
customized software. During our testing of this separate process, we identified it to be informal, 
undocumented, and not effective. 

Recommendation: 

We recommend that the TSA CFO and CIO ensure the following corrective actions are implemented: 

1. Develop and enforce a standard set of configuration management procedures for developing and 
documenting test plans, documenting test results, delivering and implementing software, and 
management approving system changes for normal and emergency upgrade situations. 

2. Implement a single, integrated change control process over the Coast Guard's financial systems with 
appropriate internal controls to include clear lines of authority to the component's financial 
management personnel and to enforce responsibilities of all participants in the process and 
documentation requirements. 

C. Entity-Wide Security Program Planning and Management 

During fiscal year 2007, we noted continued weaknesses in the area of entity-wide security program 
planning and management at both | | and at TSA Headquarters. Specifically, conditions noted that 
impact TSA's financial processing are as follows: 

• The contract that Coast Guard Headquarters has with its software vendor does not include security 
configuration requirements that must be adhered to during the configuration management process. 
Consequently, system builds and maintenance packs may not be configured and implemented with 
comprehensive security configuration requirements. 

• Background investigations of | | civilian and contractors employed to operate, manage and 
provide security over IT systems are not being consistently conducted. 

• TSA allows individuals to complete security awareness training within 60 days of beginning work 
and gaining access to their local area network (LAN) and application accounts. However, DHS 
guidance requires that all individuals complete security awareness training prior to gaining access to 
the information systems. Furthermore, of our sample of nine individuals for testing, one contractor 
had not completed initial security awareness training this fiscal year and a second employee had not 
completed the refresher training for this fiscal year. 

• Eleven of a sample of 30 TSA 1402 forms, Separating Non-Screener Employee and Contractor IT 
Certificates, were received. Additionally, of the 11 received, seven of the forms did not have the 
appropriate TSA application(s) identified in order to deactivate the separating employee's accounts. 
Furthermore, we selected 30 TSA 1163 forms, the Employee Exit Clearance form, for both 
contractors and TSA personnel and only received nine completed forms. 

• Coast Guard IT security role-based training policies and procedures lack appropriate criteria for 
defining personnel with significant IT responsibilities. Additionally, the personnel that are defined in 
the policy are very limited and do not fully cover the scope of security responsibilities addressed in 
DHS requirements. 

• The Certification and Accreditation (C&A) package of a key system was not complete and in 
accordance with DHS requirements. 

Recommendation: 

We recommend that the TSA CFO and CIO ensure the following corrective actions are implemented: 

1. Reevaluate and revise the contract between Coast Guard and its software vendor or otherwise ensure 
that the security configurations associated with the builds, service packs, and software patches are in 
compliance with DHS and NIST standards. 

2. Enforce DHS policy to ensure that all | | contractors and employees go through the appropriate 
background/suitability check. 

3. Enforce the DHS policy by having all new and existing users and contractors complete the security 
awareness training. 

4. Ensure that TSA employees consistently complete the required paperwork for terminated personnel. 

5. Enhance current policies and procedures for IT role-based training to require those with critical 
security responsibilities, such as network administrators, system administrators, senior managers and 
system owners, to complete the role-based training on an annual basis, and deploy the IT role-based 
training of civilian personnel with critical IT positions down to the Coast Guard component levels for 
implementation. 

6. Update the C&A package to ensure that each subsystem component is fully described in the system 
security plan, an appropriate security categorization is assigned, and an appropriate set of security 
controls are identified in accordance with NIST guidance. 

D. Service Continuity 

During fiscal year 2007, we noted that the Coast Guard has continued to take corrective actions to address 
prior year weaknesses related to service continuity. Despite these improvements, weaknesses still exist 
that pose a risk of losing the capability to process, retrieve, and protect information maintained 
electronically, which could impact TSA's ability to accomplish financial processing requirements. 

Conditions noted at | | regarding service continuity controls that impact TSA's financial processing 
are as follows: 

• One of the business continuity plans is in draft form and has not been tested. 

• A memorandum of understanding (MOU) for business continuity services is currently in draft form. 

• Nineteen of 79 individuals who had access to the data center had not yet completed the emergency 
response training, as follows: 

- 13 individuals (building owners, property managers and their respective contractors) 

- 4 members of | | Senior Management 

- 2 security guards 

• Lastly, we identified four employees, each with 24 hour access to the data center, that had not yet 
completed the emergency response training as of July 2007. Upon notifying | | of this 
exception, the four individuals completed the training and | | provided the necessary 
supporting evidence. 

Recommendation: 

We recommend that the TSA CFO and CIO ensure the following corrective actions are implemented: 

1. Finalize and implement the Continuity of Operations Plan (COOP) and ensure that it addresses 
disaster recovery procedures. 

2. Periodically test the business continuity plan and evaluate the results so that the plan can be adjusted 
to correct any deficiencies identified during testing. 

3. Finalize the MOU for business continuity services and document associated restoration procedures so 
that a specific Coast Guard component can serve as an alternate processing site in the event that the 
| | is unavailable. 

4. Ensure that all personnel with access to the data center have completed the data center emergency 
response training. 
E. System Software 

We did not identify any findings in the area of system software during the fiscal year 2007 TSA balance 
sheet audit. 

F. Segregation of Duties 

We did not identify any findings in the area of segregation of duties during the fiscal year 2007 TSA 
balance sheet audit. 

G. Application Control Findings 

We did not identify any findings in the area of application controls during the fiscal year 2007 TSA 
balance sheet audit. 

TSA's Management Response and OIG Evaluation 



We obtained written comments on a draft of this letter from the TSA CFO and CIO. We have included 
TSA's written comments in Exhibit H of this letter. 

The OIG agrees with the steps that TSA is taking to satisfy these recommendations. 
DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE WITHIN THE 
SCOPE OF THE FY 2007 TSA BALANCE SHEET AUDIT 

Below is a description of significant TSA financial management systems and supporting information 
technology (IT) infrastructure included in the scope of the fiscal year 2007 balance sheet audit. 

Locations of Audit: TSA Headquarters in | | and the Coast Guard 
| |. TSA's financial applications are hosted on the Coast Guard's IT 
platforms. 



Key Systems Subject to Audit: 

- | | is the | | that records financial transactions and generates financial statements for the 
Coast Guard. | | interfaces with the | |. Additionally, the | | fixed asset (FA) module for 
property management is interconnected to the | | system that is hosted at | |. 

- | | - The | | application used to create and post obligations to the | |. It allows users to 
enter funding, create purchase requests, issue procurement documents, perform system 
administration responsibilities, and reconcile weekly program element status reports. | | is 
interconnected with the | | systems and is located at the | |. 

- | | is a customized third party commercial off the shelf (COTS) product used for TSA and 
| | property management. | | interacts directly with the FA | |. | | is interconnected to the | | 
FY 2007 TSA IT NOTICES OF FINDING AND RECOMMENDATION 

Notices of Finding and Recommendation - Definition of Risk Ratings: 

The Notices of Finding and Recommendation (NFRs) were risk ranked as High, Medium, and Low 
based upon the potential impact that each weakness could have on the DHS component's control 
environment and on the integrity of the financial data residing on the DHS component's financial 
systems. In addition, analysis was conducted collectively on all the NFRs to assess connections 
between individual NFRs, which when joined together could lead to a control weakness occurring 
with more likelihood and/or higher impact potential. 

High Risk: A control weakness serious enough in nature to create a potential material misstatement to the 
financial statements. 

Medium Risk: A control weakness, in conjunction with other events, less severe in nature than a 
high risk issue, which could lead to a misstatement to the financial statements. 

Low Risk: A control weakness minimal in impact to the financial statements. 

The risk ratings included in this report are intended solely to assist management in prioritizing its 
corrective actions. 
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STATUS OF PRIOR YEAR TSA IT NOTICES OF FINDING AND 
RECOMMENDATION 







17 -'PjiP."4wi%te 4 ;,\ 


TSA-IT 06- 
001 


Service contimiitv weaknesses for 1 t§j including 
outdated Business Continuity Contingency Plan (BCCP), lack 'of disaster 
recovery procedure details, an off-site storage location in close proximity to 
the data center, and lack of BCCP testing exist. 




TSA-IT- 
07-01 


TSA-IT-06- 
002 


A comprehensive incident capability that includes designated response team 
members and procedures for. incident handling to help ensure that the 
incident is properly handed has not been documented and implemented. 


x 






| emergency procedures are in place for the evacuation of | 






TSA-IT-06- 
003 


and its data center; however, no emergency re-entry procedures exist within 
this directive. Additionally, no policies and procedures are in place to guide 
and document the emergency training of data center personnel. Lastly, the 
concept of "least privilege" has not been implemented with regard to the data 
center. 




TSA-IT- 
07-04 




Although backup tapes for | | are created on a regular basis, 






TSA-IT-06- 
004 


testing procedures have not been documented in accordance with | 






Instruction. Additionally, although H backup tapes are rotated off-site to 
the H, Hi backups have not been included in the rotation process. 
Lastly, tape transfer logs are not being completed in their entirety . 


x 
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Configuration weaknesses over | | workstations allowed users to 
fnodifosensitive workstation system and security settings. Upon notification, 


X 




005 


|| management took immediate action to correct the configuration 






settings. 






TSA-IT-06- 
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Weaknesses were noted regarding | | personnel entrance and exit 
procedures for civilian, contractor and military personnel. 


X 




TSA.rr-06- 

007 


A || Security Configuration Management Plan does not exist that 
clearly delineates the roles and responsibilities between Global Computer 
Enterprises (GCE), and the | |N. GCE is the organization under contract 
by Coast Guard to manage the HH and JH software programs. 
Consequently, the System Security Plans for the ^| and H applications 
do not include key security control information such as the current security 
configuration management process, including delineation of responsibilities 
for all involved parties. 


X 




TSAJT-06- 
008 


Technical testragidrntified patch management weaknesses on hosts 
supporting the H and H applications which could allow for a remote 
attacker to gain full control of the affected host and could lead to the 
compromise of the avadahshty, confidentiality and integrity of ]|H and | 
data. 




TSA-rr- 

07-18 


TSA-rr-06- 

009 


Technical testing identified configuration management weaknesses on hosts 
supporting the | | and H applications. Specifically, servers were 
identified with excessive access privileges, and password and auditing 
configuration weaknesses. 5 




TSA-rr- 

07-19 


TSA-rr-06- 

010 


Mot Used. 
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TSA-IT-06- 
011 



TSA-IT-06- 
012 




The MOU between and Treasury Financial Management Service 
expired daring FY 2006. , 



An agreement for system softw are a nd hardware support for the four 
production databases including the H| production database expired on May 
31, 2006, A request to renew the contract is pending; however, there is no 
other contractual agreement to cover the maintenance of their software and 
hardware during this lapse in service contracts. 



X 



TSA-IT-06- 
013 



Manager Review of System Administration Monitor Procedures do not note 
the periods of review that are being monitored and who is responsible for 
performing the reviews, and evidence that the manager review was 
performed could only be obtained for March 2006, Additionally, for the first 
half of the fiscal year, Unix system administration monitoring was not 
performed by a man ager or group outside of the three systems administrators. 
Additionally, | | access request form s are not consistently maintained and 
the account of a contractor that left | | remained active for eight 
months after the contractor's departure. 



TSA-IT-06-014

The following [redacted] access control weaknesses were identified:

1. Password configurations for the application and database were not in compliance with the [redacted] Password Policy Standard Operating Procedure (SOP).

2. Users are not locked out of their [redacted] application accounts after three invalid logon attempts.

3. Audit logging has not been enabled within the [redacted] application or database.

4. Individuals who were no longer employed with [redacted] were found to have active accounts within [redacted].

5. [redacted] account reviews have not been performed on a periodic basis for personnel.

TSA-IT-06-015

The following [redacted] access control weaknesses were identified:

1. Password configurations for the application and database were not in compliance with the [redacted] Password Policy SOP.

2. Users are not locked out of their [redacted] accounts after three invalid logon

3. Policies and procedures for application and database audit log management have not been documented, and audit logs that are generated are being reviewed by the database administrators, not by an external party.



TSA-IT-07-08
TSA-IT-07-09
TSA-IT-06-017
TSA-IT-06-018
TSA-IT-06-020

The following [redacted] access control weaknesses were identified:

1. Password configurations for the application and database were not in compliance with the [redacted] Password Policy SOP.

2. Users are not locked out of the [redacted] application after three invalid logon attempts.

3. Audit logging has not been enabled within the [redacted] application or database.

[redacted] accounts are not immediately disabled upon an employee's termination, and no policies and procedures exist for the periodic review of TSA personnel with access to [redacted].

[redacted] accounts are not immediately disabled upon an employee's termination. Additionally, formalized policies and procedures for the periodic review of the [redacted] accounts do not exist. Lastly, [redacted] access request forms are not consistently completed.

[redacted] accounts are not immediately disabled upon an employee's termination. Additionally, policies and procedures do not exist requiring the periodic review of TSA personnel with access to [redacted].

The TSA Form 1402, IT off-boarding form for Non-Screeners and Contractors, is not consistently completed for terminated personnel. Specifically, we identified that the form was unavailable for thirty-eight (38) of sixty (60) terminated employees selected for testing. Additionally, eight (8) out of the twenty-two (22) forms received were incomplete.

X
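The terminated-personnel findings above (accounts left active after departure, periodic account reviews not performed, off-boarding forms missing or incomplete) are the checks a periodic account review would run. The following Python is an added example, not code from the report, TSA or USCG: it reconciles a constructed HR separation list against an account export and off-boarding records, flagging accounts still enabled or used after the separation date and users whose form is missing or incomplete. All user ids, dates and field names are hypothetical.

```python
from datetime import date

# Constructed sample data (hypothetical, not taken from the report): HR
# separation dates keyed by user id, an application account export, and
# off-boarding records standing in for forms such as the TSA Form 1402.
SEPARATIONS = {"u1001": date(2006, 3, 15), "u1002": date(2006, 6, 1),
               "u1003": date(2006, 9, 20)}
ACCOUNTS = [
    {"user": "u1001", "enabled": True,  "last_logon": date(2006, 3, 10)},
    {"user": "u1002", "enabled": True,  "last_logon": date(2006, 7, 4)},   # used after leaving
    {"user": "u1003", "enabled": False, "last_logon": date(2006, 9, 19)},  # disabled as expected
    {"user": "u2000", "enabled": True,  "last_logon": date(2006, 9, 30)},  # current employee
]
FORMS = {"u1001": {"complete": False}, "u1003": {"complete": True}}  # no form for u1002


def reconcile(separations, accounts, forms, as_of):
    """Compare separated personnel with account and off-boarding records.

    Returns the exceptions an account review would report: accounts still
    enabled after separation (with days elapsed), accounts used after the
    separation date, and separated users with a missing or incomplete form.
    """
    by_user = {a["user"]: a for a in accounts}
    result = {"active_after_separation": [], "logon_after_separation": [],
              "missing_form": [], "incomplete_form": []}
    for user, left_on in sorted(separations.items()):
        acct = by_user.get(user)
        if acct is not None:
            if acct["enabled"]:
                # days the account stayed enabled past the separation date
                result["active_after_separation"].append((user, (as_of - left_on).days))
            if acct["last_logon"] > left_on:
                result["logon_after_separation"].append((user, acct["last_logon"]))
        form = forms.get(user)
        if form is None:
            result["missing_form"].append(user)
        elif not form["complete"]:
            result["incomplete_form"].append(user)
    return result


def exception_rate(exceptions, population):
    """State an exception count the way the report does, e.g. '38 of 60'."""
    return f"{len(exceptions)} of {population}"


if __name__ == "__main__":
    findings = reconcile(SEPARATIONS, ACCOUNTS, FORMS, as_of=date(2006, 11, 15))
    for control, items in findings.items():
        print(control, exception_rate(items, len(SEPARATIONS)), items)
```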



TSA-IT-06-021

Security awareness training and Computer Access Agreements are not consistently completed. Additionally, TSA has not documented sanctioning procedures to be enforced when users of TSA information systems are in violation of the computer access agreements and security policies.



TSA-IT-06-022

TSA has not documented policies and procedures surrounding the change control process for [redacted], formalized a tracking process of its own change requests submitted to [redacted], or retained documentation associated with the requests (i.e., initial approvals, testing and final approvals).



TSA-IT-06-023

Guidance for performing suitability screening for all contractors is considered interim and not final; therefore, Coast Guard will wait until the policy is finalized before moving forward on conducting background investigations on contractors. Additionally, [redacted] does not perform background investigations or verify that outside background investigations have been performed for contractors working at [redacted]. Lastly, risk levels for contractor personnel with access to DHS information systems have not been assigned.



TSA-IT-06-024

Excessive access has been granted within [redacted]. Specifically, of the 27 individuals that have been granted Authorized Certifying Officer privileges to approve invoices of any dollar value, four were not justified in having such privileged access.
U.S. Department of Homeland Security
Office of Finance and Administration
601 South 12th Street
Arlington, VA 22202-4204

APR 11 2008

Transportation Security Administration



Mr. Frank Deffer
Assistant Inspector General, Information Technology Audits
Office of Inspector General
Department of Homeland Security
Washington, DC 20528

Dear Mr. Deffer:

Thank you for the opportunity to review and comment on the draft report titled, "Information Technology Management Letter for the FY 2007 TSA Financial Statement Audit." We have reviewed the report and its recommendations, and we concur.

The report has identified a series of information technology related internal control weaknesses. Many of these weaknesses stem from TSA's use of financial applications hosted by the United States Coast Guard (USCG). While responsibility for many of the corrective actions ultimately falls upon USCG, my staff works closely with their USCG counterparts to monitor overall corrective action progress.

Through discussions with OIG staff, my staff has previously voiced concern about our ability to take aggressive corrective action on material weaknesses which are within the purview of another DHS component organization. During Fiscal Year (FY) 2008, we would appreciate the opportunity to further discuss this matter so that the recommendations of your FY 2008 report can have maximum impact.

On behalf of Administrator Hawley, please accept my thanks for the efforts of your audit team. Your report clearly identifies the financial systems challenges that TSA and USCG face and helps us to prioritize corrective actions as we strive toward our goal of an unqualified audit opinion.



Sincerely,

David R. Nicholson
Assistant Administrator and Chief Financial Officer
Office of Finance and Administration
Chief Information Officer (Acting)

cc:

Assistant Commandant for Planning, Resources and Procurement
United States Coast Guard
Department of Homeland Security

Secretary 

Deputy Secretary 

General Counsel 

Chief of Staff 

Deputy Chief of Staff 

Executive Secretariat 

Under Secretary, Management 

Acting Assistant Commissioner, TSA 

DHS Chief Information Officer 

DHS Chief Financial Officer 

Chief Financial Officer, TSA 

Chief Information Officer, TSA 

Chief Information Security Officer 

Assistant Secretary for Policy 

Assistant Secretary for Public Affairs 

Assistant Secretary for Office of Legislative Affairs 

DHS GAO OIG Audit Liaison 

Chief Information Officer, Audit Liaison 

TSA Audit Liaison 

Office of Management and Budget 

Chief, Homeland Security Branch 
DHS OIG Budget Examiner 

Congress 

Congressional Oversight and Appropriations Committees, as appropriate 
Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General 
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web 
site at www.dhs.gov/oig. 



OIG Hotline 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of 
criminal or noncriminal misconduct relative to department programs or 
operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, Attention: 
Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 

The OIG seeks to protect the identity of each writer and caller. 



